Topics to be covered
▪ Introduction
▪ Policy as a Project
▪ Cyber Security Management
▪ Arriving at Goals
▪ Cyber Security Documentation
▪ Using the Catalog

Introduction
▪ There is no single right way to make sure people really understand and follow cyber security policy.
▪ But, consciously or unconsciously, every good leader has a method of getting important messages across.
▪ Middle and lower-level managers make day-to-day decisions to keep their own part of the business running.
▪ These decisions occasionally have unintended consequences for the organization's overall cyber security posture.
▪ Such consequences require a timely response.
▪ Adjustments in both strategy and policy must be customized to the evolving requirements of the organization.
▪ Cumulatively, these adjustments point to where formal policy should evolve.
▪ To be effective, cyber security strategy must be a mainstream part of business, system, or mission planning, not a sub-component of a technology-only function.
▪ Security theater is created when security concerns within the business prompt action, but the action is more visible than effective.
▪ It arises because people think something needs to be done about security, so they create activity that looks like security wherever they think others expect security to be in place.
▪ Security theater does not actually prevent anything bad from happening; it only creates the illusion that security is in place.
▪ A common form of ad hoc security theater is to make it apparent that cyber security policy affects technology usability: make it harder for people to get into the network, to get to their data, to use applications, and so on.
▪ Security then comes to be perceived as equivalent to cumbersome levels of approval and to authorization workflows that present obstacles to gaining cyber access.
▪ True security and security theater may impose the same requirements on users; the difference is whether the control actually prevents anything.

Policy as a Project
▪ "Cyber security easily lends itself to a Drucker-style management cycle for managing by objectives and self-control, observing and revising plans based on observations." (Drucker 2001)
▪ This management style also follows the military recommendation for managing battle action, the observe-orient-decide-act (OODA) loop:
▪ observe the situation,
▪ orient observations based on background knowledge and analysis,
▪ decide on a course of action,
▪ act, and
▪ observe the impact of actions on the situation.
▪ These activities, in combination, comprise the management cycle of an enterprise security program.
▪ The process by which cyber security policy is established is part of that program.
▪ Establishing cyber security policy requires task definition, planning, and clear objectives for each important initiative.
▪ Creating cyber security policy is a project, and should be managed as one.
▪ As with any project, cyber security policy creation starts with goals and objectives.
▪ It is also helpful to begin by recognizing that policy follows business or enterprise strategy, not the reverse.
▪ Policy is an extremely important component of strategy execution, because it is used to communicate desired outcomes.
▪ Every policy statement issued by the executives will be interpreted in the context of the other plans, objectives, and operational environments that complete an organization's cyber security posture.

Cyber Security Management
▪ Many companies have established a Chief Security Office or Chief Information Security Office.
▪ But those offices generally do not have line authority over the operations that are critical to asset preservation and other security goals.
▪ These offices are generally skilled in the tools and techniques needed to enforce security policy, but often lack the understanding of the business or mission that would be required to establish one.
▪ Also, many security professionals were trained in industries that were early security adopters, such as the military or finance.

Arriving at Goals
▪ To begin developing cyber security policy, executives may ask themselves:
▪ What assets need to be in place to maintain operations?
▪ Which are the "crown jewels"?
▪ Are these changing or evolving with our long-term business plans?
▪ What cyberspace infrastructure houses or affects our most critical assets?
▪ Do we have any information that should be kept from general circulation? If so:
▪ What criteria would we use to release it to someone within the organization?
▪ What criteria would we use to release it to someone outside the organization?
▪ If someone with access to it left the organization, should it still be protected?
▪ Do we participate in socio-technical networks with communities that are hostile to our interests?
▪ Are we subject to cyber threats simply from being a bystander within a larger community?
▪ These general environmental aspects of cyber security lead to more detailed questions.
▪ These can be probed with the help of a cyber security task force composed of operations, financial, and technology staff.
▪ Such questions may be found in industry standard literature.

Cyber Security Documentation
▪ Policy awareness is a necessary step after policy development and before implementation.
▪ If people are not aware of the decisions made in strategy and policy, they have no reason to implement in accordance with them.
▪ This is why security standards, operating procedures, and guidelines are often issued in conjunction with policy: they demonstrate how compliance with a given policy may be achieved.
▪ Procedures are documented step-by-step implementation instructions that a technician may follow in order to implement policy and standards successfully.
▪ Guidelines are the most general type of security document. They are designed to raise awareness among those who must comply with policy, and they provide options for policy compliance.
▪ Security professionals such as CISOs are often the people who document cyber security policy, but they are not necessarily the same people as the cyber security strategists.
▪ Cyber security specialists often act as trusted advisors to executive decision makers.
▪ There is also a technique, used by both security staff and auditors, in which policy and standards are translated into a set of questions about the technology environment.
▪ Rather than evaluating the technology directly, the cyber security assessor works from a questionnaire containing a series of questions about the security of a given technology environment.
▪ These questions are typically formulated with a specific cyber security policy or standard in mind, but they do not replace the standard; they are information-gathering conveniences for the assessor.
▪ When an executive fully understands the motivation and origin of enterprise security policy, implementation becomes as easy to manage as any other technology endeavor.

Using the Catalog
▪ Each significant social, economic, institutional, and political segment of the community has a number of potential resources that can be brought to bear.
▪ There is a role for
▪ police,
▪ private security services,
▪ technology vendors,
▪ government,
▪ the insurance industry,
▪ civic groups,
▪ the business community,
▪ industry associations, and
▪ citizen organizations.
▪ Each group's role needs clarity in its scope and its potential impact on the overall problem.
▪ There is also a large class of policy statements that were intentionally omitted from the catalog: technical security configurations for the hardware and software components of cyberspace.
▪ Cyber attacks require a coordinated response.
▪ To coordinate a response, one first needs the ability to detect cyber attacks, access to intelligence with which to analyze them, and a method and means of response.
▪ Policy should not only address goals, but also identify key barriers to goal achievement and anticipate resistance to change.
▪ That resistance may come from sources both internal and external to the organization.
▪ Those with experience in accountability for security measures well understand that security policy is often used as a shield against change.